Remove child domain manually through parent domain

Hi experts,

My child domain broke and never came back.

Now I am trying to remove it from the parent domain, but I cannot remove it.

I already tried all the steps in this post: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23545584.html

But without success.

Regards
abolinhasAsked:

Mike KlineCommented:
So the child domain is "dead", meaning no DCs and no objects at all?  What happens when you do try to remove it using ntdsutil?

http://support.microsoft.com/kb/230306

Thanks

Mike
0
abolinhasAuthor Commented:
Yes, I already tried this and I get this error:

metadata cleanup: remove selected domain
DsRemoveDsDomainW error 0x2162(The requested domain could not be deleted because
 there exist domain controllers that still host this domain.)

0
Mike KlineCommented:
Do you still have any DCs for that child domain?
0

abolinhasAuthor Commented:
no, only my parent domain
0
snusgubbenCommented:
See if this will help you get further: http://support.microsoft.com/kb/251307
0
abolinhasAuthor Commented:
I can not find this option "Flexible Single Master Operation" in Sites and Services.
0
snusgubbenCommented:
That was a very badly written KB.

What I think they mean is:

1. Open AD Sites & Services
2. Expand Sites
3. Expand <child domain>
4. Delete the computer objects located under Servers

Then try to run the metadata cleanup.

Mike, please advise if you disagree.
0
abolinhasAuthor Commented:
Hi snusgubben

Take a look at the error screenshot
site-services-error.PNG
0
snusgubbenCommented:
You could try to delete the connection objects located under NTDS Settings.

This is not a recommended thing to do in a production domain environment as they will become NULL objects and stall replication. If this is the case when you're going to remove the child, I can't say 100% for sure.
0
abolinhasAuthor Commented:
another error, check the screenshot
site-services-error1.PNG
0
Mike KlineCommented:
Sorry I've been out today (real job was busy)

Is that WIN-MH...box the DC for the child domain?  Is it the only one left?

Thanks

Mike
0
abolinhasAuthor Commented:
Yes
0
abolinhasAuthor Commented:
WIN-MH.. is the name of the server of my dead child domain "evora.florasul.lan" and I want to remove it
0
abolinhasAuthor Commented:
Check the picture
domain-trust.PNG
0

abolinhasAuthor Commented:
COOOLLL, I already removed the dead domain, thanks to you :)

After the removal, I ran dcdiag /v /c and I found some records relating to the dead domain.

* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
Downstream topology is disconnected for
CN=Configuration,DC=florasul,DC=lan.
Home server DC01 can't get changes from these servers:
   Default-First-Site-Name/WIN-MH38UR7NKBC
* Analyzing the connection topology for DC=florasul,DC=lan.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=evora01,DC=florasul,DC=lan.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC01 failed test Topology


Is it normal?
0
snusgubbenCommented:
See if there is a replication object in Sites & Services (under NTDS) called Win-MH.....

If it is (or is not) right click DC1's NTDS Setting > All Tasks > Check Replication Topology
0
snusgubbenCommented:
and a failed test is not normal :)
0
abolinhasAuthor Commented:
check the image
replication-topology.PNG
0
abolinhasAuthor Commented:
0
snusgubbenCommented:
Run "repadmin /replsum" from DC01 and see the latest replication cycle.
0
abolinhasAuthor Commented:
C:\Users\Administrator>repadmin /replsum
Replication Summary Start Time: 2010-04-14 14:57:12

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 CHLD01                    09m:46s    0 /   4    0
 DC01                      02m:12s    0 /   4    0


Destination DSA     largest delta    fails/total %%   error
 CHLD01                    02m:19s    0 /   4    0
 DC01                      09m:46s    0 /   4    0
0
snusgubbenCommented:
Replication is fine.
0
snusgubbenCommented:
Still errors in the dcdiag?
0
abolinhasAuthor Commented:
I found these errors.
 Starting test: DFSREvent

         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An error event occurred.  EventID: 0xC00004B2

            Time Generated: 04/14/2010   03:19:00

            Event String:

            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.

             

            Additional Information:

            Error: 160 (One or more arguments are not correct.)

         ......................... DC01 failed test DFSREvent

            Enterprise DNS infrastructure test results:

               For parent domain florasul.lan and subordinate domain evora01:
                                                                        ........
................. florasul.lan failed test DNS


No references to the dead child domain now
0
snusgubbenCommented:
The DFS error can be due to the DNS error. Run:

dnslint /ad /s <ip-address of authoritative DNS server> /v

Look for errors

0
abolinhasAuthor Commented:
C:\Users\Administrator>dnslint /ad /s 192.168.2.1 /v
'dnslint' is not recognized as an internal or external command,
operable program or batch file.

Do I run this from the parent or the child?
0
abolinhasAuthor Commented:
Only this
DNS server: User Specified DNS Server
IP Address: 192.168.1.101
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown
0
abolinhasAuthor Commented:
This information appears on both servers (parent and child)

So, the only error on dcdiag is
 The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An error event occurred.  EventID: 0xC00004B2

            Time Generated: 04/14/2010   03:19:00

            Event String:

            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
0
snusgubbenCommented:
We need to be sure your DNS is in shape.

dnslint: http://download.microsoft.com/download/2/7/2/27252452-e530-4455-846a-dd68fc020e16/dnslint.v204.exe

Does this command work: dcdiag /test:dns

Is your DNS AD integrated?

Have you delegated the root zone or _msdcs zone to your child domain? or is the child holding the root zone as a secondary zone, or do you use a stub zone?

Can you from the child resolve queries to your parent and vice versa?


SG
0
abolinhasAuthor Commented:
I already did the test, and I found only this on both servers (parent and child)
DNS server: User Specified DNS Server
IP Address: 192.168.1.101
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown
Notes:
One or more DNS servers may not be authoritative for the domain
0
abolinhasAuthor Commented:
192.168.1.101 is the ip of parent domain
0
snusgubbenCommented:
Is your DNS AD-integrated? (open DNS management console > right click "domain.com" > Properties - General tab)
0
abolinhasAuthor Commented:
yes it is
0
snusgubbenCommented:
Then they should be able to say if they are authoritative for the zone. DNSLint will check all authoritative NS, but it seems like it fails :(

Did: "dcdiag /test:dns" work?
0
abolinhasAuthor Commented:
From parent
C:\Users\Administrator>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC01 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : florasul

   Running enterprise tests on : florasul.lan
      Starting test: DNS
         ......................... florasul.lan passed test DNS



From Child
c:\dnslint>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = chld01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CHLD01
      Starting test: Connectivity
         ......................... CHLD01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CHLD01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... CHLD01 passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : evora01

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running enterprise tests on : florasul.lan
      Starting test: DNS
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 208.67.220.220 ()
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.220.220

            DNS server: 208.67.222.222 ()
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.222.222

         ......................... florasul.lan passed test DNS


208.67.222.222 and 208.67.220.220 are my forwarder IPs to the internet (OpenDNS)

0
snusgubbenCommented:
Please post an "ipconfig /all" from your child DC
0
abolinhasAuthor Commented:
From CHILD
Windows IP Configuration

   Host Name . . . . . . . . . . . . : chld01
   Primary Dns Suffix  . . . . . . . : evora01.florasul.lan
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : evora01.florasul.lan
                                       florasul.lan
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network Connecti
on
   Physical Address. . . . . . . . . : 00-30-48-D6-8C-5E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8537:7804:3ad6:c900%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.254
   DHCPv6 IAID . . . . . . . . . . . : 234893384
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-53-C4-F5-00-30-48-D6-8C-5E

   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
                                       192.168.1.101
   NetBIOS over Tcpip. . . . . . . . : Enabled


From PARENT
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : florasul.lan
   Node Type . . . . . . . . . . . . : Mixed
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : florasul.lan

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection w
ith I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-30-48-CE-7E-B1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::c166:5cba:d8de:ad93%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 302002248
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-39-82-A6-00-30-48-CE-7E-B0

   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
0
snusgubbenCommented:
DNS server: 208.67.220.220 (<name unavailable>)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.220.220

You are sending internal domain queries to opendns... That's not correct and will never work.

Remove the loop back address 127.0.0.1 and let the DC only use itself as preferred DNS. (IP not loop back)

On both parent and child:

ipconfig /flushdns
ipconfig /registerdns

Restart the netlogon service and run "dcdiag /test:dns"



0
abolinhasAuthor Commented:
So, what do I need to put instead of 127.0.0.1? The IP address of the server, like 192.168.2.101?
0
abolinhasAuthor Commented:
check my forwarders table

dns2.PNG
0
snusgubbenCommented:
yep

your parent DC should have 192.168.1.101 as DNS and your child DC 192.168.2.101.

Nothing else during troubleshooting
0
snusgubbenCommented:
Remove the child from the forwarding table. You basically say that queries parent DC can't resolve should be forwarded to the child DC...
0
abolinhasAuthor Commented:
FROM PARENT:
C:\Users\Administrator>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC01 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : florasul

   Running enterprise tests on : florasul.lan
      Starting test: DNS
         ......................... florasul.lan passed test DNS



FROM CHILD:
c:\dnslint>dcdiag /test:dns

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = chld01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CHLD01
      Starting test: Connectivity
         ......................... CHLD01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CHLD01

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... CHLD01 passed test DNS

   Running partition tests on : DomainDnsZones

   Running partition tests on : evora01

   Running partition tests on : ForestDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running enterprise tests on : florasul.lan
      Starting test: DNS
         Test results for domain controllers:

            DC: chld01.evora01.florasul.lan
            Domain: evora01.florasul.lan


               TEST: Basic (Basc)
                  Warning: adapter
                  [00000007] Intel(R) 82575EB Gigabit Network Connection has
                  invalid DNS server: 192.168.2.101 (CHLD01)
                  Error: all DNS servers are invalid

               TEST: Forwarders/Root hints (Forw)
                  Error: All forwarders in the forwarder list are invalid.
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.

            TEST: Records registration (RReg)
               Error: Record registrations cannot be found for all the network
               adapters

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 128.8.10.90

            DNS server: 192.168.2.101 (CHLD01)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 192.168.2.101

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 192.5.5.241

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 198.41.0.4

            DNS server: 208.67.220.220 ()
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.220.220

            DNS server: 208.67.222.222 ()
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.222.222

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: evora01.florasul.lan
               chld01                       PASS FAIL FAIL PASS PASS FAIL n/a

         ......................... florasul.lan failed test DNS
0
snusgubbenCommented:
DNS on the child domain is misconfigured.

The query "_ldap._tcp.florasul.lan" is forwarded to your forwarders/root hints (public DNS servers). Looks like the child doesn't know about the _msdcs zone in the parent domain (root domain).

Have you delegated the _msdcs zone or root zone from your parent?
0
abolinhasAuthor Commented:
0
snusgubbenCommented:
Those SS look correct, but something is wrong as you forward internal queries out of the house.

How is the Forwarding setup in the child?

I'll be gone for some hours (football match you know :| ).

Dunno if Mkline is online and can help you?
0
abolinhasAuthor Commented:
"How is the Forwarding setup in the child?" I don't understand your question.

"I'll be gone for some hours (football match you know :| )."  Good luck and win :) I love football too.

Dunno if Mkline is online and can help you? Sure, no problem, I appreciate all the help.

Thanks

0
snusgubbenCommented:
I meant Forwarding in the child domain. Just like you showed from the parent DNS.

http:#30736491

It's getting late where I'm located and I'll soon be off to bed. If you are in a hurry I recommend you create a new question in the EE DNS zone (do not add additional zones).

There is a DNS misconfiguration in the child as internal queries should never be forwarded out of your domain.
0
abolinhasAuthor Commented:
I set the forwarders manually.

Please tell me, what is the best way to explain my problem in new question.

Thanks
0
snusgubbenCommented:
A suggestion:

Subject: Child domain DNS configuration

Body:

Internal DNS queries are forwarded to public DNS servers.

TEST: Basic (Basc)
 Warning: adapter
 [00000007] Intel(R) 82575EB Gigabit Network Connection has
 invalid DNS server: 192.168.2.101 (CHLD01)
 Error: all DNS servers are invalid

DNS server: 208.67.222.222 (<name unavailable>)
 1 test failure on this DNS server
 Name resolution is not functional. _ldap._tcp.florasul.lan. failed
 on the DNS server 208.67.222.222

Also post IP-address of child domain DC and IP's to DNS server set on the NIC.

-----------
That's a start :)

0
abolinhasAuthor Commented:
208.67.222.222 is an external IP and is used to forward to the internet.
0
snusgubbenCommented:
Yes, but this query: "_ldap._tcp.florasul.lan" should be passed and answered by your parent DNS.

The child DNS can't resolve this query and should therefore forward it to the parent DNS (that is authoritative for the "florasul.lan" zone). Looks to me like it just forwards the query to your forwarders (public DNS).
0
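
A small triage script for the symptom discussed above, added here as an example and not part of the original thread: it reads saved "dcdiag /test:dns" output and separates internal-zone lookups that failed on public resolvers (internal names leaving the network) from those that failed on an internal DNS server. The function names and the embedded sample, which is modelled on the output posted in this thread, are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the child DC's "dcdiag /test:dns" summary
# posted in this thread (including the console's 80-column line wrap).
SAMPLE = """\
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 128.8.10.90

            DNS server: 192.168.2.101 (CHLD01)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 192.168.2.101

            DNS server: 208.67.220.220 ()
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.florasul.lan. faile
d on the DNS server 208.67.220.220
"""

# Header of each per-server block; the wrapped "d on the DNS server ..." tail
# has no colon after "server", so it is never mistaken for a header.
SERVER_RE = re.compile(r"^[ \t]*DNS server:[ \t]*(\S+)[ \t]*\((.*?)\)", re.M)
# The queried name sits before the wrap point, so no line re-joining is needed.
FAIL_RE = re.compile(r"Name resolution is not functional\.\s+(\S+)")


def failed_lookups(dcdiag_text):
    """Return (server_ip, server_name, queried_name) for every failed lookup."""
    results = []
    headers = list(SERVER_RE.finditer(dcdiag_text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(dcdiag_text)
        for fail in FAIL_RE.finditer(dcdiag_text[head.end():end]):
            name = fail.group(1).rstrip(".").lower()
            results.append((head.group(1), head.group(2), name))
    return results


def classify(dcdiag_text, internal_suffix):
    """Split failures for names under internal_suffix by where they were sent."""
    suffix = internal_suffix.rstrip(".").lower()
    leaked, internal_failed = set(), set()
    for ip, _name, queried in failed_lookups(dcdiag_text):
        if queried != suffix and not queried.endswith("." + suffix):
            continue  # not an internal name, nothing to flag
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # header did not carry a parsable address
        if addr.is_private or addr.is_loopback:
            internal_failed.add(ip)   # internal DNS server cannot answer
        else:
            leaked.add(ip)            # internal name was sent to a public server
    return {
        "leaked_to_public": sorted(leaked),
        "internal_server_failed": sorted(internal_failed),
    }


if __name__ == "__main__":
    report = classify(SAMPLE, "florasul.lan")
    for kind, servers in report.items():
        print(kind, servers)
```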
abolinhasAuthor Commented:
The main goal of this question was resolved, finally I managed to remove the dead domain.

About DNS issue I open a new question.

snusgubben and mkline71 many thanks for your help.

Best regards

André Bolinhas
0
Windows Server 2008
